
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released two industrial control systems (ICS) advisories highlighting hardware vulnerabilities in Mitsubishi Electric and TrendMakers equipment, deployed in the commercial facilities sector. The alerts detail current security flaws, potential exploits, and mitigation steps. CISA urged users and administrators to review the advisories for technical specifics and recommended defenses.
In an advisory, CISA revealed that Mitsubishi Electric air conditioning systems have a critical vulnerability caused by missing authentication for key functions. “Successful exploitation of this vulnerability could allow an attacker to control the air conditioning system.”
Mihály Csonka reported this vulnerability to Mitsubishi Electric.
An authentication bypass vulnerability exists in Mitsubishi Electric air conditioning systems. An attacker may bypass authentication to control the air conditioning systems illegally or disclose information from them by exploiting this vulnerability. In addition, the attacker may tamper with the firmware of the affected products using the disclosed information.
CVE-2025-3699 has been assigned to this vulnerability. It carries a CVSS v3.1 base score of 9.8 and a CVSS v4 base score of 9.3.
Mitsubishi Electric is preparing updated versions of its AE-200J, AE-200A, AE-200E, AE-50J, AE-50A, AE-50E, EW-50J, EW-50A, EW-50E, TE-200A, TE-50A, and TW-50A products to address this vulnerability.
In the meantime, the company urges users to configure air conditioning systems as recommended, including restricting access from untrusted networks and hosts, limiting physical access to the systems and connected computers, and ensuring antivirus software, operating systems, and web browsers are fully updated on any computers that connect to the systems.
CISA also disclosed that TrendMakers Sight Bulb Pro Firmware ZJ_CG32-2201 Version 8.57.83 and earlier contains vulnerabilities tied to weak or broken cryptographic algorithms and improper neutralization of special elements, leading to command injection risks. “Successful exploitation of these vulnerabilities could allow an attacker to capture sensitive information and execute arbitrary shell commands on the target device as root if connected to the local network segment.”
During the initial setup of the device, the user connects to an access point broadcast by the Sight Bulb Pro. During this negotiation, AES (Advanced Encryption Standard) encryption keys are passed in cleartext. If captured, an attacker may be able to decrypt communications between the management app and the Sight Bulb Pro, which may include sensitive information such as network credentials. CVE-2025-6521 has been assigned to this vulnerability. It carries a CVSS v3 base score of 7.6 and a CVSS v4 base score of 5.3.
Unauthenticated users on a network adjacent to the Sight Bulb Pro can run shell commands as root through a vulnerable proprietary TCP protocol available on port 16668. This vulnerability allows an attacker to run arbitrary commands on the Sight Bulb Pro by passing a well-formed JSON string. CVE-2025-6522 has been assigned to this vulnerability, with a CVSS v3 base score of 5.4 and a CVSS v4 base score of 5.2.
Fahim Balouch reported these vulnerabilities to CISA. TrendMakers did not respond to CISA’s request for coordination.
CISA recommends that device users take defensive measures to reduce the risk of exploitation. The agency notes that the encryption key is sent in cleartext only during the initial device setup when the Sight Bulb Pro acts as an access point and advises implementing physical security controls to reduce the risk of remote network captures or monitoring.
Organizations should also use network monitoring or signature-based detection tools to identify malicious activity. CISA further reminds organizations to conduct a thorough impact analysis and risk assessment before deploying any defensive measures.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.